Webapp Enum Methodology

Take note of EVERYTHING; when in doubt, write it down.

  1. Enumerate the running services with nmap

  2. View the page source; look for versions, comments, hyperlinks

  3. Add the target to /etc/hosts (particularly for WordPress)

  4. Remember to try BOTH http and https

  5. Inspect element and check response headers

  6. Use dirb/gobuster/feroxbuster/ffuf; try different wordlists

  7. Speaking of wordlists, use custom and service-specific ones (e.g. .cgi)

  8. Look for subdomains with wfuzz (refer to "tools" node)

  9. Use Wappalyzer and whatweb to discover the services running

  10. Check certificates and see if there's anything juicy

  11. Check robots.txt and any disallowed entries

  12. Check for default creds for the specific service running

  13. Brute-force login pages as a last resort; try common combos

  14. Check for SQLi and XSS

  15. See if path traversal is possible, then --> LFI/RCE

  16. If RCE gets hard, try PHP filters

  17. Check if you can steal or manipulate cookies in any way

  18. Cookie value IsAdmin=false: try changing it to IsAdmin=true

  19. Intercept requests with Burp and look for versions, software, etc.

  20. Searchsploit should be the last step, enumerate first!
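The response-header and cookie checks in items 5, 18 and 19 can be turned into a repeatable audit of a server's own responses. This is an added example, not part of the original notes; it assumes a raw HTTP/1.1 response as text, a heuristic list of cookie names (AUTHZ_NAME) that hint at authorization state, and a constructed sample response:

```python
import re
# Headers a hardened HTML response should carry; absence is a finding.
EXPECTED_HEADERS = ("Content-Security-Policy", "Strict-Transport-Security", "X-Content-Type-Options")
# Heuristic (assumption): cookie names that look like they carry an authorization decision.
AUTHZ_NAME = re.compile(r"admin|role|priv|level", re.IGNORECASE)
FLAG_VALUES = {"true", "false", "0", "1", "admin", "user"}

def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into status line, [(name, value)] headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")  # split on the first colon only
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body

def audit_cookie(set_cookie: str) -> list[str]:
    """Flag a Set-Cookie value lacking Secure/HttpOnly or carrying an authz decision."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    out = []
    if "secure" not in attrs:
        out.append(f"cookie {name}: missing Secure")
    if "httponly" not in attrs:
        out.append(f"cookie {name}: missing HttpOnly")
    if AUTHZ_NAME.search(name) and value.lower() in FLAG_VALUES:
        out.append(f"cookie {name}: authorization state is client-controlled ({name}={value})")
    return out

def audit_response(raw: str) -> list[str]:
    """Return every finding for one raw response, in a stable order."""
    _, headers, _ = parse_response(raw)
    present = {n.lower() for n, _ in headers}
    findings = [f"missing header: {h}" for h in EXPECTED_HEADERS if h.lower() not in present]
    for name, value in headers:
        if name.lower() == "server" and re.search(r"\d", value):
            findings.append(f"version disclosed: Server: {value}")  # item 19: version leakage
        elif name.lower() == "set-cookie":
            findings.extend(audit_cookie(value))
    return findings

# Constructed sample response (not captured from any real host).
SAMPLE = ("HTTP/1.1 200 OK\r\n"
          "Server: ExampleHTTPd/1.2.3\r\n"
          "Set-Cookie: PHPSESSID=abc123; Path=/; HttpOnly; Secure\r\n"
          "Set-Cookie: IsAdmin=false; Path=/\r\n"
          "X-Content-Type-Options: nosniff\r\n\r\n<html></html>")
```

Running `audit_response(SAMPLE)` reports the two missing hardening headers, the version string in Server, and three findings on the IsAdmin cookie, while the properly flagged PHPSESSID cookie produces none.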
